Acoustic Cryptanalysis of RSA and Its Counter Measure

acousticalalal coding of RSA and Its Counter MeasureProf. J P Agrawal Saurabh Sharma Siddharth GuptaABSTRACTacousticals has come up as a new vulnerability in the field of t any(prenominal)ing security. The RSA encryption algorithm, although h very hard to break mathematic all in ally, has been broken of late by using acoustics and great power analysis of emanations. Acoustic Cryptanalysis is the berth- shift combat which invests writ of executions of cryptographic algorithms. The cryptographic algorithms argon quite secure at the mathematical level, but inadvertently leak recondite information through touchings in power consumption, electromagnetic emanations, timing variations, and acoustical emanations. This paper presents a software product base countermeasure which is based on application of specific mitigation techniques to keep in line that even if there is news leak of information it would bear minimal effective information.INTRODUCTIONAcoustic cryptanalysis i s a form of side line of products attack that aims at deriving the private primal in a public key cryptanalytics system using acoustical vibrations of a laptop. A side channel attack is basically an attack that gives assailant an incremental channel of information about the system, the noise generated by figurers is whizz such(prenominal) potential channel another(prenominal) channels include keystroke acoustic emanations, acoustic emanations from printers, power analysis via the USB port and timing attacks. Side channel attacks empennage only be performed on public key cryptography system because the encrypted text i.e. ciphers text depends upon the text that is encrypted. So while decoding the cipher text produces a unique acoustic spectrum which helps the attacker to cite the key.In this case we put our emphasis on a various source of computer noise i.e. vibration of electronic comp onenessnts like capacitors and transistors in the circuit of the processor. These aco ustic vibrations are related to the system activity since the amount of power drawn from the CPU depends upon the operation which is performed.As a take in case, we lead focus on the GnuPG (GNU Privacy Guard), a cross-platform, open-source implementation of the OpenPGP Standard. We will demonstrate a key extraction attack that underside extract 4096- sec RSA secret keys when used by GnuPG running on a laptop computer by analyzing the vibrations generated by the computer during decoding of elect cipher texts.RELATED WORKAnalysis of acoustical vibrations is relatively a newer practice commonly used in military context such as identification of vehicles through the sound signature of their engine. Similarly computer programmers monitor the functioning of their systems by listening to sound generated by mechanical components. Some of the successfully implemented experiments involving side channel attacks include electromechanical ciphers. Keyboard acoustic emanations. Acoustic ema nations from printers. Power analysis. Power analysis via the USB port. Timing attacks.THE experimental SETUP(A) laptop on which the decryption is being performed(B) BrelKjr 4190 microphone capsule mounted on a BrelKjr 2669 preamplifier held by a flexible arm.(C) BrelKjr 5935 microphone power supply and amplifier,(D) National Instruments MyDAQ device with a 10 kilocycle RC low-pass come home cascaded with a 150 kHz RC high-pass filter on its A2D input(E) laptop computer performing the attack.Here, the microphone power, amplification and some filtering are through with(p) by an integrated, battery operated BrelKjr 5935 microphone power supply. later on a self-built 10 kHz RC low-pass filter cascaded with a 150 kHz RC high-pass using capacitors and resistors, A2D conversion is done by the compact, USB-operated National Instruments MyDAQ device. The MyDAQ device captures at 200 K sample/sec. The BrelKjr 5935 amplifier is limited to a frequency of 100 kHz.OBSERVING THE ACOUSTIC LEA KAGE 1. Distinguishing various CPU operationsWe end distinguish between various operations performed by CPU by analyzing the low bandwidth outflow of acoustical emanations. Our analysis begins by taking into account simple operations like HLT (CPU sleep), MUL (integer multiplication), FMUL (floating-point multiplication), main keeping access (forcing L1 and L2 cache misses), and REP NOP (short-term idle). We concluded that these operations exhi part a unique frequency spectrum on execution.2. Distinguishing various code lengthsThese acoustical emanations can also determine the length of loop being executed. For example the leakage produced by a code executing 10000 ADD book of instructions in an infinite loop will have a distinguishable acoustic spectrum than a program executing 20000 ADD instructions in an infinite loop.3. Leakage sourceThe observed acoustical emanations are non caused by the rotation of the fan, hard seeks or audio speakers as it is support by disabling the se components. Rather it is caused by the capacitors and resistors in the power regularization circuit of the CPU. The precise source of the emanations is difficult to characterize, since it is different in any machine and it is typically located in hard to reach places. Acoustic localization is also difficult due to mechanical coupling of capacitors and resistors and because of acoustic reflections due to other components.PERFORMING THE ATTACKThe attacker channelises an encrypted email to the tar proceed machine. This email when received by the target machine undergoes the process of decryption so as to extract the data that has been sent. The email which is sent involves move a chosen ciphertext, it cannot have any random data in it. The data which is sent via the email has to be a specially crafted ciphertext. through with(predicate) this attack we try to get the q i.e. one of the prime factor of the key n.Enigmail provides an integrated graphical user interface and handles e-mail encoding and user interaction the actual cryptography is done by an extraneous GnuPG executable. Received e-mail mental objects are decrypted upon the users request. In addition and by default, Enigmail automatically decrypts incoming e-mail messages. Thus, an attacker can send a suitably-crafted e-mail message to the victim, containing a chosen ciphertext. When this e-mail message is fetched by the target computer, the attacker observes the acoustic emanations during decryption, and arrives a bit of the secret key. The attacker then sends additional e-mail messages, until all key bits are recovered. If the messages are backdated or made to look like spam messages, they whitethorn even go unnoticed. But this doesnt affects our attack as it will still be decrypted by the email client.Choosing the ciphertextq is a 2048 bit deedq2048 q2047 q2046 q2045 q2 q1GnuPG always generates RSA keys in which the most significant bit of q is set, i.e., q2048 = 1. Considering we know the low gear i-1 bits of qe.g. i=4 , we know q2048 q2047 q2046 =110Now we need to limit the future(a) bit of q , which can be 0 or 1So , we urinate a ciphertext with first i-1 bits equal to that of first i-1 bits of q, the next bit 0 and the remaining bits to be 1q2048 q2047 q2046 0 111111.11111 save the emmisions We use our experimental setup to move into the acoustic emissions that are created during the decryption. Placing the microphone with respect to the laptop body has a orotund influence on the obtained signal. Laptops have cooling system for heat dissipation. It has a fan that requires large intake of air and some exhaust holes. Also, there are other holes and gaps for ports such as USB, Express Card slot, SD card reader, and Ethernet port. Any of these ports can be used as a position for the microphone. Typically, the best microphone placement is near the Ethernet port or the fan exhaust vent.We record the sound using the LABVIEW software. We compute the sliding-window Fourier transform of the trace, yielding a ecological succession of spectra, and then aggregate these spectra by taking the median appraise of each bin. (The use of median effectively rejects temporally-local outliers, such as transient spikes.) The spectrum is substitute to the frequency range of interest (determined manually).Extracting the keyThe most significant bit of a prime number is always 1. Using this fact we create a desired ciphertext and obtain the power frequency templates for 0 and 1. Thus, if the attacker were to have two spectrum templates describing the leakage of zero and one bits, he could categorise an unknown signal by checking the likeity between it and the templates he has. Concretely, in our case a template is a vector of real metrical composition describing the signal power at each frequency bin. The classification is based on computing the correlation of the Fourier spectrum of the leakage with the two templates.Recall that q is chosen to be a prime such that its most significant bit is always set to one. Moreover, this information is known to an attacker. Thus, obtaining an example of a leakage of a one bit can be done by measuring the leakage resulting from the decryption of g20481. Obtaining an example of a leakage of a zero bit is more tricky. This is because the attacker does not know in advance the location of the first zero bit in q. However, this difficulty can be easily avoided. Consider any number l such that q 2048 1). Notice that the reduction of l modulo q is equivalent to computing l q and will cause the bits of the result to be random thus achieving a similar spectrum as the sound of zero bits of q at the beginning of the attack. later this we compare the data acquired with the templates of 0 and 1 and the output of the comparison gives one bit of the q. Then this attack has to repeated 2048 times to get all the bits of q.These templates are updated dynamically in the matter of 20 bits. After receiving the ac oustic spectrum of every attack bit we try to match the frequencies with the ones in the predefined templates. Whenever we get a matching frequency we check its corresponding time value for power if this value is in range according the given doorstep of the template we classify the bit as 0 or 1. By repeating this same procedure to attack every bit we obtain all the 2048 bits of prime q and in turn find the key.COUNTER valueCipher text randomization One countermeasure that is effective in tenia our attack ciphertext randomization. If we have a cipher text c, instead of decrypting c immediately what we can generate a 4096 bit random value r, compute re and then decrypt re* c and breed the result by r-1. Since ed = 1 mod (n)It does not stop the attacker from extracting the key but it masks the original key so that even if the attacker is able to extract the key he doesnt has the correct key.In implementation we have used the random program library of python. Using this library random.randint(range) generates a random integer which can be multiplied to the value of cipher text and it changes the acoustic spectrum of the ciphertext which masquerades the original key.why software based countermeasures are better than hardware based countermeasures? go for a proper layering can seem to be an effective countermeasure. Unfortunately, such low-level physical leakage prevention, is most of the times, impractical due to the importantly bad cost vs. security tradeoff because of the following reasons (1) Suitable economic consumption at the higher levels can amplify any leakage remnants, similar to what we do in our chosen-ciphertext attack(2) Low-level mechanisms try to protect all computation, even though most of it is insensitive or does not incur easily-exploitable leakage(3) Essential performance-enhancing mechanisms produce leakage as an inevitable side effect.REFRENCES1 M. Hanspach and J. Keller, In guards we trust Security and privacy in operating systems revisited,- in Proc. 5th ASE/IEEE International Conference on information Privacy, Security, Risk and Trust, cap D.C., USA IEEE, Sept 2013.2 M. Hanspach and M.Goetz, On Covert acoustical mesh mesh in air, revisited,- in ledger of Communications Vol. 8, No. 11, November 2013.3 R. Otnes, A. Asterjadhi, P. Casari, M. Goetz, T. Husy, I. Nissen, et al., Underwater Acoustic Networking Techniques, ser. Springer Briefs in Electrical and Computer Engineering, Springer, 2012.4 R. Frankland, Side channels, whippy emanations and surveillance Current and future technologies,- Department of Mathematics, Royal Holloway, University of London, Egham, Surrey TW20 0EX, England, Tech. Rep., Mar. 2011.5 Daniel Genkin, Adi Shamir, Eran Tromer, RSA Key bloodline via Low-Bandwidth Acoustic Cryptanalysis December 18, 2013.6Nikita Borisov, Ian Goldberg, and David Wagner. Intercepting mobile communications the insecurity of 802.117 H. E. sea bass and Roy G. Keeton. Ultrasonic absorption in air at eleva ted temperatures. The Journal of the Acoustical Society of America.8Taher ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms.IEEE Transactions on Information Theory, 31(4)469472, 1985.1